If you enable ransomware services in a recovery plan, you can run it to recover from a ransomware attack, or run it as a ransomware recovery test.

When you run a plan for ransomware recovery, all VMs included in the plan can be analyzed and validated in a network-isolated recovery SDDC that has restricted firewall rules and no connection to the internet. You select VMs from the list included in the plan, choose a snapshot from a protection group, and start validating the VMs.

When you start VMs on the recovery SDDC, a security sensor is automatically installed to enable security and vulnerability analysis. The sensor helps you detect malware, repair bad files, and patch software for the VM from the snapshot history.

For automatic sensor installation, VMware Tools version 11.2 or later must be installed on the VM, and must include the Carbon Black Cloud launcher.

Windows VMs already have the Carbon Black Cloud launcher embedded into the VMware Tools executable.

For Linux VMs, the launcher is not included, so you must manually install the Carbon Black Launcher for Linux if you want automated sensor installation.

Once the launcher is installed on a VM, the sensor can be installed automatically when you run a ransomware recovery plan.

For information on manual sensor installation, see Manual Sensor Installation.

Note: If you do not have ransomware recovery services enabled, VMs are disconnected from internal networks but will still have external outbound access to the internet.

Uninstalling Existing Sensors

Before the security sensor can be installed when you run a plan, you must uninstall any existing security sensors or software. You also must confirm that you have uninstalled existing security sensors before you can begin ransomware analysis. If any non-VMware Live Cyber Recovery security software is left on VMs, it can potentially generate alarms and events for the production environment. For more information, see Uninstalling Sensors.

Connectivity to Carbon Black Cloud URLs

The network segment the VM is connected to must have internet access, so that the VM can reach the security services at a specific Carbon Black Cloud point of presence (PoP). Make sure that your network and in-guest firewalls do not block access to any Carbon Black Cloud PoP URLs.
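A pre-flight check for the sensor prerequisites described above (VMware Tools 11.2 or later, the launcher present on a Linux guest, and outbound HTTPS to the Carbon Black Cloud PoP URLs), added here as an example and not part of the VMware documentation or product. The PoP URL list and the launcher path are placeholders you must replace with the values for your environment.

```shell
#!/bin/sh
# Pre-flight check, run inside a Linux guest, for automatic Carbon Black Cloud
# sensor installation (constructed example, not VMware's own tooling).
# Replace the placeholder PoP URLs and launcher path with your own values.

CBC_POP_URLS="https://REPLACE-with-your-cbc-pop.example https://REPLACE-second-pop.example"
CB_LAUNCHER="/REPLACE/with/path/to/cb-launcher"   # hypothetical path

# parse_tools_version "11.3.5.18557794 (build-18557794)" -> 11.3.5.18557794
# (first whitespace-separated field of `vmware-toolbox-cmd -v` output).
parse_tools_version() {
    set -- $1
    printf '%s\n' "$1"
}

# tools_version_ok VERSION -> exit 0 when VERSION is 11.2 or later.
tools_version_ok() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    if [ "$rest" = "$ver" ]; then minor=0; else minor=${rest%%.*}; fi
    case "$major" in ''|*[!0-9]*) return 1 ;; esac   # reject non-numeric input
    case "$minor" in ''|*[!0-9]*) return 1 ;; esac
    [ "$major" -gt 11 ] && return 0
    [ "$major" -eq 11 ] && [ "$minor" -ge 2 ] && return 0
    return 1
}

# check_pop_urls URL... -> exit 0 only when every URL answers over HTTPS.
check_pop_urls() {
    rc=0
    for url in "$@"; do
        if curl -sS -o /dev/null --max-time 10 "$url"; then
            echo "reachable: $url"
        else
            echo "BLOCKED:   $url (check network and in-guest firewalls)"
            rc=1
        fi
    done
    return $rc
}

preflight() {
    ver=$(parse_tools_version "$(vmware-toolbox-cmd -v 2>/dev/null)")
    tools_version_ok "$ver" || { echo "VMware Tools '$ver' is below 11.2"; return 1; }
    [ -x "$CB_LAUNCHER" ] || { echo "Carbon Black launcher not found"; return 1; }
    check_pop_urls $CBC_POP_URLS
}

if [ "${1:-}" = "--run" ]; then preflight; fi
```

Run it as `sh preflight.sh --run` on the guest before starting the plan; a non-zero exit means at least one prerequisite is not met.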

Ransomware Recovery Test

A ransomware test is the same as ransomware recovery, except that a ransomware test has no option to restore VMs to a protected site. Ransomware recovery testing does not require powering off production VMs or pausing snapshots.

Snapshot Expiration Paused While Running the Plan

When you start a ransomware recovery plan, VMware Live Cyber Recovery pauses all snapshot expiration for snapshots taken prior to starting the plan. Existing snapshots are not deleted upon expiration, regardless of the protection group retention policy, until the plan is ended. Any subsequent snapshots taken after the plan was started expire and are deleted according to the configured retention policy.

When the plan is ended, snapshot expiration resumes according to the defined protection group retention policy.

Prerequisites

Before you can run a recovery plan for ransomware, you must:

If you need to use the recovery SDDC to perform ransomware recovery and also run production workloads at the same time, you can create a VMware Cloud gateway for running VMs that have been cleansed during ransomware recovery. This way, you use one gateway for ransomware recovery (the default gateway) and a second gateway for running recovered production VMs.

For more information, see Creating a VMware Cloud Gateway for the Recovery SDDC.

Note: If your SDDC security settings contain any distributed IDS/IPS rules, ensure that no CloudDR* groups are included in those rules; otherwise, those rules could prevent ransomware recovery plans from completing.

Procedure

  1. From the left navigation, select Recovery plans.
  2. Select a recovery plan from the list.
  3. On the recovery plan page, click the Ransomware Recovery button. Or, click the Ransomware Test button if you only want to perform a test.
  4. In the Ransomware recovery dialog box, click the Start Ransomware Recovery button.

What to do next

Next, you can start VMs on the recovery SDDC so you can begin the validation and recovery process.